CVE Catalog

CVE-2026-34110

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile — higher than 42% of all known CVEs

Summary

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter, which is passed unsanitized to the PHP exec() function in complex_start.php.

Risk Assessment

An attacker can gain full control of the server, steal data, install malware, or disrupt services, posing a critical threat to the confidentiality, integrity, and availability of the system.

Recommendation

Immediately update the Guardian language-system to the latest patched version or apply a temporary fix by validating and sanitizing the 'id' parameter and avoiding direct use of exec() with user input.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec(\"php jobs/complex.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS